Software Detail
Ruby on Rails. Number of NVD entries: 106 (CRITICAL 3, HIGH 34, MEDIUM 68, LOW 1)
URL https://rubyonrails.org/
Explanation: This is the best-known web framework written in Ruby.
Its basic philosophy is "Don't Repeat Yourself" and "Convention over Configuration".
It follows the Model-View-Controller (MVC) pattern.

The latest major release contains bug fixes and security fixes.
The previous major release contains security fixes.
Earlier major releases are no longer supported.

Serious security issues may be addressed outside of support.
Tag
  • Ruby
  • MIT License

Additional Information URLs
  1. https://rubyonrails.org/
  2. https://guides.rubyonrails.org/maintenance_policy.html
  3. https://railslts.com/
  4. https://railsguides.jp/maintenance_policy.html
  5. https://weblog.rubyonrails.org/releases/
  6. https://github.com/rails/rails
  7. https://rubyonrails.org/security/

List of Products (release history and vulnerability counts per release series)
Columns "Service Pack Support" and "Extended (for a fee)" are empty for every row and are omitted; "-" marks a cell the page leaves blank.

No | Name              | Latest version | Release date   | Initial release | Normal support until | Security support until | Critical | High | Medium | Low
21 | Ruby on Rails 7.0 | 7.0.8.4        | June 4, 2024   | Dec. 15, 2021   | -                    | -                      | 1 | 2  | 4  | 0
22 | Ruby on Rails 6.1 | 6.1.7.7        | Feb. 21, 2024  | Dec. 9, 2020    | -                    | -                      | 1 | 6  | 6  | 0
23 | Ruby on Rails 6.0 | 6.0.6.1        | Jan. 17, 2023  | Aug. 16, 2019   | -                    | -                      | 2 | 8  | 9  | 0
24 | Ruby on Rails 5.2 | 5.2.8.1        | July 12, 2022  | April 9, 2018   | -                    | -                      | 2 | 10 | 5  | 0
25 | Ruby on Rails 5.1 | 5.1.7          | March 27, 2019 | April 27, 2017  | April 9, 2018        | April 9, 2018          | 2 | 11 | 4  | 0
26 | Ruby on Rails 5.0 | 5.0.7.2        | March 11, 2019 | June 30, 2016   | April 27, 2017       | April 27, 2017         | 2 | 15 | 7  | 1
27 | Ruby on Rails 4.2 | 4.2.11.3       | May 15, 2020   | Dec. 20, 2014   | June 30, 2016        | Aug. 16, 2019          | 2 | 17 | 9  | 1
28 | Ruby on Rails 4.1 | 4.1.16         | July 12, 2016  | April 8, 2014   | Dec. 20, 2014        | Dec. 20, 2014          | 2 | 17 | 12 | 1
29 | Ruby on Rails 4.0 | 4.0.13         | Jan. 6, 2015   | June 25, 2013   | April 8, 2014        | Dec. 20, 2014          | 2 | 17 | 14 | 1
30 | Ruby on Rails 3.2 | 3.2.2.25       | -              | -               | -                    | -                      | 2 | 16 | 31 | 0
31 | Ruby on Rails 3.1 | 3.1.9          | -              | -               | -                    | -                      | 2 | 16 | 35 | 0
32 | Ruby on Rails 3.0 | 3.0.9          | -              | -               | -                    | -                      | 2 | 20 | 37 | 0
33 | Ruby on Rails 2.3 | 2.3.9          | -              | -               | -                    | -                      | 2 | 14 | 29 | 0
34 | Ruby on Rails 2.2 | 2.2.3          | -              | -               | -                    | -                      | 2 | 12 | 22 | 0
35 | Ruby on Rails 2.1 | 2.1.2          | -              | -               | -                    | -                      | 2 | 13 | 24 | 0
36 | Ruby on Rails 2.0 | 2.0.5          | -              | -               | -                    | -                      | 2 | 13 | 22 | 0
37 | Ruby on Rails 1.9 | 1.9.5          | -              | -               | -                    | -                      | 2 | 11 | 17 | 0
38 | Ruby on Rails 1.2 | 1.2.6          | -              | -               | -                    | -                      | 2 | 11 | 17 | 0
39 | Ruby on Rails 1.1 | 1.1.6          | -              | -               | -                    | -                      | 2 | 13 | 17 | 0
40 | Ruby on Rails 1.0 | 1.0.0          | -              | -               | -                    | -                      | 2 | 12 | 16 | 0
41 | Ruby on Rails 0.9 | 0.9.5          | -              | -               | -                    | -                      | 2 | 12 | 16 | 0
42 | Ruby on Rails 0.14 | 0.14.4        | -              | -               | -                    | -                      | 2 | 12 | 16 | 0
43 | Ruby on Rails 0.13 | 0.13.1        | -              | -               | -                    | -                      | 2 | 12 | 16 | 0
44 | Ruby on Rails 0.12 | 0.12.1        | -              | -               | -                    | -                      | 2 | 12 | 16 | 0
45 | Ruby on Rails 0.11 | 0.11.1        | -              | -               | -                    | -                      | 2 | 12 | 16 | 0
46 | Ruby on Rails 0.10 | 0.10.1        | -              | -               | -                    | -                      | 2 | 12 | 16 | 0
NVD Vulnerability Information
Fields per entry: No., CVE, Level, CVSS3, CVSS2, Attack Vector, description, CWE, affected cpe23Uri with version range ("or higher" / "or less" / "more than" / "less than"), update date, published date.

21. CVE-2020-8163 | Level: HIGH | CVSS3 8.8 | CVSS2 6.5 | Attack Vector: Network
    There is a code injection vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the `locals` argument of a `render` call to perform RCE.
    CWE-94 Code Injection
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, less than 5.0.1
    Updated: 2024-11-21 14:38 | Published: 2020-07-3
22. CVE-2020-8167 | Level: MEDIUM | CVSS3 6.5 | CVSS2 4.3 | Attack Vector: Network
    A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
    CWE-352 Origin Validation Error
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, 6.0.0 or higher and less than 6.0.3.1; less than 5.2.4.3
    Updated: 2024-11-21 14:38 | Published: 2020-06-20
23. CVE-2020-8165 | Level: CRITICAL | CVSS3 9.8 | CVSS2 7.5 | Attack Vector: Network
    A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore pote…
    CWE-502 Deserialization of Untrusted Data
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, 6.0.0 or higher and less than 6.0.3.1; less than 5.2.4.3
    Updated: 2024-11-21 14:38 | Published: 2020-06-20
24. CVE-2020-8164 | Level: HIGH | CVSS3 7.5 | CVSS2 5.0 | Attack Vector: Network
    A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow information supplied by an attacker to be inadvertently leaked from Strong Parameters.
    CWE-502 Deserialization of Untrusted Data
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, 6.0.0 or higher and less than 6.0.3.1; less than 5.2.4.3
    Updated: 2024-11-21 14:38 | Published: 2020-06-20
25. CVE-2020-8162 | Level: HIGH | CVSS3 7.5 | CVSS2 5.0 | Attack Vector: Network
    A client-side enforcement of server-side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be m…
    CWE-434 Unrestricted Upload of File with Dangerous Type
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, 6.0.0 or higher and less than 6.0.3.1; less than 5.2.4.2
    Updated: 2024-11-21 14:38 | Published: 2020-06-20
26. CVE-2010-3299 | Level: MEDIUM | CVSS3 6.5 | CVSS2 4.3 | Attack Vector: Network
    The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.
    CWE-311 Missing Encryption of Sensitive Data
    Affected: cpe:2.3:a:rubyonrails:rails:2.3:*
    Updated: 2024-11-21 10:18 | Published: 2019-11-13
27. CVE-2019-5420 | Level: CRITICAL | CVSS3 9.8 | CVSS2 7.5 | Attack Vector: Network
    A remote code execution vulnerability in development mode Rails <5.2.2.1, <6.0.0.beta3 can allow an attacker to guess the automatically generated development mode secret token. This secret token can …
    CWE-330 Use of Insufficiently Random Values
    Affected: cpe:2.3:a:rubyonrails:rails:6.0.0:beta2; cpe:2.3:a:rubyonrails:rails:6.0.0:beta1; cpe:2.3:a:rubyonrails:rails:*:*, less than 5.2.2.1
    Updated: 2024-11-21 13:44 | Published: 2019-03-27
28. CVE-2019-5419 | Level: HIGH | CVSS3 7.5 | CVSS2 7.8 | Attack Vector: Network
    There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% CPU and…
    CWE-770 Allocation of Resources Without Limits or Throttling
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, 5.0.0 or higher and less than 5.0.7.2; 5.1.0 or higher and less than 5.1.6.2; 5.2.0 or higher and less than 5.2.2.1; less than 4.2.11.1
    Updated: 2024-11-21 13:44 | Published: 2019-03-27
29. CVE-2019-5418 | Level: HIGH | CVSS3 7.5 | CVSS2 5.0 | Attack Vector: Network
    There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the targ…
    NVD-CWE-noinfo
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, 5.0.0 or higher and less than 5.0.7.2; 5.1.0 or higher and less than 5.1.6.2; 5.2.0 or higher and less than 5.2.2.1; 3.0.0 or higher and less than 4.2.11.1
    Updated: 2024-11-21 13:44 | Published: 2019-03-27
30. CVE-2018-16476 | Level: HIGH | CVSS3 7.5 | CVSS2 5.0 | Attack Vector: Network
    A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to inform…
    CWE-502 Deserialization of Untrusted Data
    Affected: cpe:2.3:a:rubyonrails:rails:*:*, 4.2.0 or higher and less than 4.2.11; 5.0.0 or higher and less than 5.0.7.1; 5.1.0 or higher and less than 5.1.6.1; 5.2.0 or higher and less than 5.2.1.1
    Updated: 2024-11-21 12:52 | Published: 2018-12-1